nmap command line examples

Nmap is a commonly used utility in the security world. The default nmap scan is pretty good but there are a number of options to make your scans more informative and or more efficient.

My current set of command line options varies slightly depending on what I am looking for, but it generally starts with something the looks like this:

  1. nmap  -PN -sU -sS -sV -sC -oA nmap-scan-%D-%T -O --webxml --reason ,

This scans two networks, and In my case I have two subnets at home with routing between them. This would let me see the whole network at a glance.

  • The -PN option does not use ping (ICMP) to test to see if a host is alive before scanning it.
  • The sU, sS sV option enables UDP service discovery.
  • The sS option scans for TCP services using the SYN TCP Connect method. This is pretty reliable as it mimics a legitimate connection attempt.
  • The sV option tells nmap to connect to these services and find out what version they are running. This is useful for finding exploitable services.
  • The -oA outputs all 3 file options. This is handy as the human readible output can help you figure out what to look for. The other output formats can then be parsed with 3rd party tools once you know what you are looking for. The Nmap Parser and the Pauldotcom.com Rogue AP detector script are good examples of these 3rd party tools that you would use to dig through nmap log data.
  • the --webxml provides a more readable xml output
  • --reason gives more information on UDP scans. Since UDP is a connectionless prototcol, there can be some challenges in interpreting the results that nmap gives you. This option can help you track down what is going on

Sometimes I will toss in a --packet-trace which shows the raw packets that were sent and received. Handy for troubleshooting weird results.

The guys over at pauldotcom.com cobbled together this set of options that check for ports specific to wireless access points. I will dissect and explain their options below.

  1. nmap -PN -n -pT:80,443,23,21,22,U:161,1900,5353 -sU -sV -sS -oA osfinger -O -T4

The main difference is that they are scanning a reduced number of ports with -p command. The T and U options specify TCP and UDP respectively.

These ports are used to specifically tune nmap for finding wireless access points (ports 1900 and 5353 are typically used for UPnP services... you do have that turned off right?).

The other main difference is that they use the -n and -T flags. The -n flags turns off DNS lookups on IPs. This can speed up a scan but often the DNS name can give you more information, such as the purpose of this machine.

The -T option is related to timing. I have never really messed with the timing options except to make scans run more slowly. Accuracy if of prime importance to me, but there are cases where you simply don't have the time.

A minor difference is that I use the %T and %D in the file name output. This puts the time and date directly into the filename. In the old days you had to do this manually by inserting the date via another command (eg. -oA myscan-`date +%Y%m%d-%H%M`).

For more information there is a ton of information over at http://www.insecure.org. Even if you are a non-coder like me, there is a lot of information in the source code itself (hint nmap.cc is a useful file).